Connect to a Kerberized CDH Cluster
A secure CDH Cluster uses Kerberos authentication to validate and confirm access requests. You can set up Composer to connect to the secure CDH Cluster using the instructions provided below. Before establishing a connection to either type of cluster, review the prerequisites and be sure to obtain your Kerberos credentials.
- Obtain Kerberos Credentials
- Configure an Impala Connector
- Configure a Cloudera Search Connector
- Connect to a Kerberized Data Source
- Use TLS Encryption with Kerberos Authentication
Prerequisites
- To enable Kerberos for CDH distribution using Cloudera manager, see Cloudera's documentation Configuring Authentication in Cloudera Manager.
- Kerberos authentication requires precise time correspondence on all instances to work properly. You need to enable the Network Time Protocol service in your network. For more information, access the topic Using the Network Time Protocol to Synchronize Time.
Obtain Kerberos Credentials
Each microservice must have its own unique identifier called a principal. Perform the following steps:
Install the Kerberos client on the machine where Composer Impala connector is installed.
Generate the Kerberos principal and corresponding keytab for Composer microservice. Before you proceed, make sure that:
- Composer or a Connector is running on a node with proper Kerberos configuration:
/etc/krb5.conf
or similar location for your Linux distribution. - The Kerberos realm on your environment is the same as the realm specified in the
kdc.conf
file from Impala server.
- Composer or a Connector is running on a node with proper Kerberos configuration:
Check the Kerberos configuration (that is,
krb5.conf
) and validity of the principal and keytab pair using MIT Kerberos client:kinit -V -k -t zoomdata_principal .keytab zoomdata_principal@KERBEROS.REALM
Make the keytab accessible for the Composer Server or a connector:
sudo mkdir /etc/zoomdata
sudo mv zoomdata_principal.keytab /etc/zoomdata
sudo chown zoomdata:zoomdata /etc/zoomdata/zoomdata_principal.keytab
sudo chmod 600 /etc/zoomdata/zoomdata_principal.keytab
Configure an Impala Connector
Create or update the file named
/etc/zoomdata/edc-impala.properties
. If this file already exists, verify that the information below exists in the file:kerberos.krb5.conf.location=/etc/krb5.conf
kerberos.service.account.authentication=true
kerberos.service.account.principal=zoomdata_principal@KERBEROS.REALM
kerberos.service.account.keytab.location=/etc/zoomdata/zoomdata_principal.keytabRestart the Impala connector:
sudo systemctl restart zoomdata-edc-impala
Configure a Cloudera Search Connector
Create or update the file named
/etc/zoomdata/edc-cloudera-search.properties
. If this file already exists, verify that the information below exists in the file:kerberos.krb5.conf.location=/etc/krb5.conf
kerberos.service.account.authentication=true
kerberos.service.account.principal=zoomdata_principal@KERBEROS.REALM
kerberos.service.account.keytab.location=/etc/zoomdata/zoomdata_principal.keytabRestart the Cloudera Search microservice:
sudo systemctl restart zoomdata-edc-cloudera-search
Connect to a Kerberized Data Source
You are now ready to create the Cloudera Search or Impala source:
Open a new browser window and log into Composer.
Select Sources.
Select Cloudera Search or Impala.
Specify the name of your source and add a description (if desired). Select .
On the Connection tab, define the connection source. You can use an existing connection, if available, or create a new one. To create a new connection, select the Input New Credentials option button and specify the connection name and JDBC URL. Make sure that you enter the JDBC URL in the correct format.
For Impala, specify:
jdbc:hive2://<impala_host>:21050/;principal=<impala_principal@KERBEROS.REALM>
For Cloudera Search, specify:
cloudera.domain:2181/solr
The JDBC URL for Cloudera Search needs to be the zookeeper URL of the Kerberized cluster.
Replace the placeholders as follows:
- For <impala_host>, enter the IP address/host name of the Impala node you are connecting to.
- For <impala_principal@KERBEROS.REALM>, enter the principal of the node you are connecting to. To get the list of all Impala principals, navigate to Cloudera Manager > Administration > Security > Kerberos Credentials.
Select. After successful validation, the values are saved. Select .
If you run into connection issues, verify that the Composer Server was restarted successfully. Access the troubleshooting topic Verify the Composer Server Restart for assistance.
You can continue configuring the data source as needed.
After you have completed the configuration, Composer begins accessing the data source using zoomdata_principal@KERBEROS.REALM
authenticated by its keytab in /etc/zoomdata/zoomdata_principal.keytab
.
Use TLS Encryption with Kerberos Authentication
See Connect to Impala with TLS (SSL) Enabled for more details.
Comments
0 comments
Please sign in to leave a comment.